Intranet

Target IP: 10.10.126.158

The web application development company SecureSolaCoders has created its own intranet page. The developers are still very young and inexperienced, but they assured their boss (Magnus) that the web application was secured appropriately. The developers said, "Don't worry, Magnus. We have learnt from our previous mistakes. It won't happen again." However, Magnus was not convinced, as they had introduced many strange vulnerabilities in their customers' applications before.

Magnus hired you as a third party to conduct a penetration test of their web application. Can you successfully exploit the app and achieve root access?


Scanning

15df982ff8c09583e1537fadac08fc49.png
There are six TCP ports open on the target machine. The HTTP applications on ports 80 and 8080 are the interesting ones, so I will start enumeration there.


Enumeration

Port 8080: HTTP
de1f1a3019765cf64a8b293a0bed7e8e.png
A directory search with feroxbuster produces the interesting result above.

e29593602e9dd5ff0be0a7ec818bcb35.png
The application serves the login page shown above, which requires an email address and a password.

6c4297a29be35a09a532e77f51256602.png
The HTML source of the page contains the interesting comment above. The username anders is helpful, as is the email format <name>@securesolacoders.no. That gives me two usernames, anders@securesolacoders.no and devops@securesolacoders.no. I also tried admin@securesolacoders.no and got a response stating that the password is incorrect, so the username is accepted. Maybe brute-forcing with these usernames is possible? Running rockyou.txt gave me no luck, so it was time to build personalised username and password lists.

4d57f0e3838e130ad890b6bf3b1fed7d.png
Using the usernames above and the words from the HTML comments as password material, I created two lists. The online password generator shown above produced the candidate passwords.


Exploitation

30fc3c9df85e8c782f78b5eddc55e3b1.png
Running the command hydra -L usernames -P passwords 10.10.126.158 -s 8080 http-post-form "/login:username=^USER^&password=^PASS^:Error" gave me a hit: anders@securesolacoders.no:securesolacoders2022.

217ed997fa852da219de6347d5530982.png
After logging in with those credentials, the page above is displayed. It looks like a four-digit SMS code is sent to the phone number. Time to brute-force again. I entered a random four-digit number and it was not accepted.

eee95591f2dd4d5b2e81b33097b4bf0d.png
I had to research how to brute-force with hydra when a session cookie must be sent with every request. The article above showed me how.

40cd5e17be2082445f479d45a03af518.png
I created a file called sms containing the numbers 1000 to 9999. I also copied the session cookie of the logged-in user from the Firefox developer tools.

293e5c068b096303fc5909b9f6bbc49c.png
Running hydra with the command hydra -l anders@securesolacoders.no -P sms 10.10.126.158 -s 8080 http-post-form "/sms:sms=^PASS^:H=Cookie: session=eyJ1c2VybmFtZSI6ImFuZGVycyJ9.ZL_4Rw.YxHDdTIM2doNLmKcTnA1o-z7wfY:Error" gave me a hit on the SMS code 1341.
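The brute force above succeeds because the server accepts an unlimited number of guesses against a four-digit code that never expires. The block below is an added example of my own, not code from the target application: it puts a verifier with exactly that weakness next to one that makes the code single-use, gives it a time-to-live and allows five attempts, then counts how many guesses each one tolerates. Usernames, numbers and limits in it are constructed.

```python
import hmac
import secrets
import time

# Constructed example: SMS-code verifiers with and without attempt limiting.
# Nothing here is taken from the target application.


class NaiveOtpVerifier:
    """Keeps the code until it is guessed; unlimited attempts, no expiry."""

    def __init__(self, digits=4):
        self.digits = digits
        self._pending = {}  # username -> code

    def issue(self, username, now=None):
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[username] = code
        return code

    def has_pending(self, username):
        return username in self._pending

    def verify(self, username, candidate, now=None):
        code = self._pending.get(username)
        if code is not None and code == str(candidate):
            del self._pending[username]
            return True
        return False


class LimitedOtpVerifier:
    """Single-use code with a time-to-live and a bounded number of attempts."""

    def __init__(self, digits=6, max_attempts=5, ttl_seconds=300):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl_seconds = ttl_seconds
        self._pending = {}  # username -> [code, issued_at, attempts_left]

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[username] = [code, now, self.max_attempts]
        return code  # goes to the SMS gateway, never into the HTTP response

    def has_pending(self, username):
        return username in self._pending

    def verify(self, username, candidate, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if now - issued_at > self.ttl_seconds:
            del self._pending[username]  # expired: the user must request a new code
            return False
        entry[2] -= 1
        # constant-time comparison, so response timing leaks nothing about the code
        if hmac.compare_digest(code, str(candidate)):
            del self._pending[username]  # single use
            return True
        if entry[2] <= 0:
            del self._pending[username]  # too many failures: invalidate the code
        return False


def guesses_until_resolved(verifier, username, candidates):
    """Feed guesses in order and return (guesses made, whether one was accepted).

    Stops as soon as the verifier has no pending code left for the user, which
    is how an attempt limit looks from the outside.
    """
    made = 0
    for guess in candidates:
        made += 1
        if verifier.verify(username, guess, now=0.0):
            return made, True
        if not verifier.has_pending(username):
            return made, False
    return made, False


ALL_FOUR_DIGIT = [f"{n:04d}" for n in range(10_000)]

if __name__ == "__main__":
    naive = NaiveOtpVerifier()
    naive.issue("alice")
    print("naive verifier:", guesses_until_resolved(naive, "alice", ALL_FOUR_DIGIT))
    limited = LimitedOtpVerifier(digits=4)
    limited.issue("alice", now=0.0)
    print("limited verifier:", guesses_until_resolved(limited, "alice", ALL_FOUR_DIGIT))
```

With the naive verifier the full 0000 to 9999 space always ends in an accepted guess; with the limited one the code is invalidated after the fifth failure, so even a correct guess afterwards is refused and the user has to request a fresh code. Logging those lockouts is what turns this brute force into an alert rather than a silent success.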

009aed80e3ef91067866f9aeb56052bf.png
And it worked! I now have access to the portal. After some enumeration I found the Internal News section interesting: it has a button called Update. I intercepted the request sent when pressing this button with Burp Suite, and it contains an interesting parameter called news.

321654bb2feccfaea3673b79eb9259e7.png
I was able to obtain the /etc/passwd file through the news parameter, as shown above. Sending ../../../../../../proc/self/cmdline through the same parameter returns /usr/bin/python3 followed by /home/devops/app.py (the NUL separator between the two arguments is not rendered, so they appear joined).
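The news parameter is a classic path traversal: the value is joined onto a directory and opened, and every ../ the client sends is kept. The block below is an added example of my own, not the application's code: it shows that pattern next to a version that resolves the final path and refuses anything outside the news directory, and exercises both on a throwaway directory tree. The NEWS_DIR location is an assumption, since the writeup does not show where the application keeps its files.

```python
import os
import tempfile
from pathlib import Path

# Assumed location for the example; the writeup does not reveal the real one.
NEWS_DIR = Path("/var/www/intranet/news")


def read_news_unsafe(base_dir, name):
    """The traversable pattern: the client's name is joined straight onto the directory.

    os.path.join keeps every '../' in name, and an absolute name replaces
    base_dir entirely, so any file the process can read is reachable.
    """
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def path_escapes(base_dir, name):
    """True when base_dir/name resolves to something outside base_dir.

    Path.resolve() follows symlinks, so a link inside the directory that
    points out of it is rejected as well.
    """
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    return target != base and base not in target.parents


def read_news_safe(base_dir, name):
    """Reads only regular files whose resolved path stays under base_dir."""
    if path_escapes(base_dir, name):
        raise ValueError("news item path escapes the news directory")
    target = (Path(base_dir).resolve() / name).resolve()
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


def demo():
    """Constructed scenario: a news directory plus one file outside it."""
    root = Path(tempfile.mkdtemp())
    news = root / "news"
    news.mkdir()
    (news / "today.txt").write_text("intranet news")
    (root / "secret.txt").write_text("outside the news directory")
    results = {
        "safe_normal": read_news_safe(news, "today.txt"),
        "unsafe_traversal": read_news_unsafe(news, "../secret.txt"),
        "escapes_relative": path_escapes(news, "../secret.txt"),
        "escapes_absolute": path_escapes(news, "/etc/passwd"),
        "escapes_deep": path_escapes(news, "../../../../../../proc/self/cmdline"),
    }
    try:
        read_news_safe(news, "../secret.txt")
        results["safe_traversal"] = "read"
    except ValueError:
        results["safe_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving before comparing is the important part: a check on the raw string (for example rejecting "../") is bypassed by encodings and by symlinks, whereas the resolved path is what the kernel will actually open. Stricter still is to map the parameter to an allow-listed file name rather than to a path at all.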

0daca8beaabe305a7ea50a60ef47dffa.png
Now I have the application's source code, which I copied into a text file.

faf4cc9f09442f6e4183f9527da6dfe2.png
Reading the source code shows that admin@securesolacoders.no is not allowed to log in.

4e2c11a70fc3bb13cec6b3c712c2c6bb.png
But there is an interesting section of code for the admin user. The goal now is to recover the secret key so that I can create a session as the admin user.

510b33bbd87f97343c1bb03f24246527.png

a98da75dea6e5b4e33488f57387af340.png
I obtained the secret key.

d278dc7de15613f2427ff851d5951a3a.png
With the secret key I generated a new session cookie for the admin user.

531f8548c9740ba972806376bb8dddc8.png
44f0746eb8740f08944e7a618cc3b590.png
With the new admin session cookie I requested the /admin page, and it worked: I have access to the admin page. As the admin I can use the debug feature to get a shell.
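The admin session could be minted only because the application's secret key was recoverable: a signed cookie is exactly as strong as the secret behind it. The block below is an added example of my own, not the application's code and not Flask's actual cookie format: an HMAC-SHA256 signed session in the same spirit as Flask's signed sessions, a heuristic check that rejects a guessable key, and an authorisation check that only trusts a payload after the signature verifies. The key and user names in it are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example of a signed session cookie and a secret-key strength check.
# It mirrors the idea behind Flask's signed sessions, not their real format.


def encode_payload(payload: dict) -> str:
    """Body of the cookie: URL-safe base64 of the JSON payload."""
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def sign_session(payload: dict, key: bytes) -> str:
    """body.signature, where the signature is HMAC-SHA256 over the body."""
    body = encode_payload(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode()


def load_session(cookie: str, key: bytes):
    """Return the payload if the signature verifies under key, otherwise None."""
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):  # malformed base64 or JSON
        return None


def secret_key_is_strong(key: bytes) -> bool:
    """Heuristic: at least 32 bytes and not built from a handful of byte values.

    A company name with a year fails this; secrets.token_bytes(32) passes.
    """
    return len(key) >= 32 and len(set(key)) >= 16


def new_secret_key() -> bytes:
    """How the key should be produced: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(32)


def is_admin(cookie: str, key: bytes, admins) -> bool:
    """Authorisation is derived from the verified payload, never from the raw cookie."""
    session = load_session(cookie, key)
    return session is not None and session.get("username") in admins


if __name__ == "__main__":
    key = new_secret_key()
    cookie = sign_session({"username": "alice"}, key)
    print("strong key:", secret_key_is_strong(key))
    print("weak key:", secret_key_is_strong(b"securesolacoders2022"))
    print("verified:", load_session(cookie, key))
    print("is admin:", is_admin(cookie, key, {"admin"}))
```

Changing the body of a valid cookie, or signing under a different key, leaves a signature that does not verify, so the only route to an admin session is the key itself. That is why a dictionary-word key is a critical finding: store the key outside the source tree, generate it with a CSPRNG, and rotate it if the source code is ever exposed, as it was here through the traversal.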

a93987abb1b444b8cfc0b1a54c91e7a4.png
Now I have a reverse shell connection from the target machine on port 8443. I used a Python reverse shell payload; a few other payloads I tried did not work.


Privilege Escalation

125238aa67a82362e6723a912946ca5b.png
Running ps -auxw shows that the web application on port 80 runs as the user anders.

c8b1c66199e57dabbfaabc61d3e679bd.png
And I have full write access to this directory. I can place a simple web shell here and upgrade it to a full reverse shell connection to obtain a session as anders.

6c7a2c6fde92c58bcf64787b59280483.png
I created a Pentest Monkey PHP reverse shell file called shell.php on my local machine and downloaded it onto the target machine with wget.

dde53925ead9abe1413b20c22d01d915.png
I started a listener on port 8444, visited shell.php, and obtained a reverse shell connection as anders.

9ba435cb0307b4b45e3ee022dee288e4.png
Running LinPEAS shows that the envvars file is writable.

5620ef870c870f8ab7872574b280c94d.png
12430ae2423faaa3bb9d3b324d7454ba.png
I used this to set the SUID bit on bash. After restarting the Apache service on port 80 from the anders session, the change has been applied, as the devops session shows.

d8720dc24cbf4d699209cb39c820445b.png
From the devops session, I ran bash -p to spawn a root shell.
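Two things made the escalation possible: a file that a root-run service sources on restart was writable by a less privileged user, and a setuid bit appeared on a shell without anyone noticing. The block below is an added example of my own, not from LinPEAS or the target: a check that service files are not group- or world-writable, and a walk that lists setuid and setgid files not on an allow-list, both exercised on a constructed temporary directory. Real paths (for instance the Apache envvars file) would be passed in by the caller; the ones in the demo are constructed.

```python
import os
import stat
import tempfile

# Constructed example: the two audit checks a defender would run after this finding.
# File names in demo() are constructed stand-ins, not the target's paths.


def writable_by_others(path):
    """Return the group/other write bits set on path (0 when only the owner may write)."""
    return os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def audit_service_files(paths):
    """Files sourced or executed by a root-run service must be writable by root only.

    Returns (path, octal permission bits) for every file that fails; missing
    files are skipped so a list of candidate paths can be reused across hosts.
    """
    findings = []
    for p in paths:
        try:
            bits = writable_by_others(p)
        except FileNotFoundError:
            continue
        if bits:
            findings.append((p, oct(os.lstat(p).st_mode & 0o777)))
    return findings


def find_setuid(root, baseline=frozenset()):
    """Walk root and return regular files with setuid or setgid set that are not in baseline.

    The baseline is the allow-list recorded on a known-good host (sudo, passwd, ...);
    anything new, such as a setuid copy of bash, is reported.
    """
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and full not in baseline:
                unexpected.append(full)
    return sorted(unexpected)


def demo():
    """Constructed scenario: a group-writable 'envvars' file and a setuid 'bash' copy."""
    root = tempfile.mkdtemp()
    env = os.path.join(root, "envvars")
    sh = os.path.join(root, "bash")
    for p in (env, sh):
        open(p, "w").close()
    os.chmod(env, 0o664)  # the weakness: the service account's group may write it
    os.chmod(sh, 0o755)
    before = {"env": audit_service_files([env, os.path.join(root, "missing")]),
              "setuid": find_setuid(root)}
    os.chmod(sh, 0o4755)  # the change the escalation makes to the shell binary
    after_setuid = find_setuid(root)
    os.chmod(env, 0o644)  # the fix: owner-only write
    after_fix = audit_service_files([env])
    return {"root": root, "env": env, "sh": sh, "before": before,
            "setuid": after_setuid, "after_fix": after_fix}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run periodically, the setuid walk with a recorded baseline is a cheap host-level detection for this whole class of escalation; the writable-file check is the preventive side, and belongs in the build of any image that runs services under a dedicated account.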


Flags

e39a480a22e00f3e16c6740ee20fb08f.png
The first flag, user.txt, once I gained a foothold on the machine.

1d03afde1e0f063509e5a72c7aef84b9.png
The user2.txt flag, once I obtained a reverse shell connection as anders.

d69a5d98f84f13376c3c6bcb8ee086d3.png
The root.txt flag.